Normally in the past, I've managed that the production server only serves http(s) to the internet, and is isolated from its database by a firewall which only allows database queries to travel. However, I have a situation where a bunch of workers using MS Office manipulate files living on a domain. These files also need to be served to customers, so I was thinking that the webserver could have domain privileges such that it could access the folders with those files and only those folders. Obviously this means that the firewall separating the webserver from the domain would need to allow a bunch of ports, for being authenticated to the domain, file sharing, etc. How unsafe is this? Any advice on how to make it better? It'd be IIS 7.5 running on 2008.

I suggest an audit of this IIS server be done with the Microsoft TCM Spider tool. I believe that Coalfire Systems has a contract to provide this service with the Microsoft ACE team.

It also depends on what else runs on the IIS server. For example, MySQL (not normally installed in a Windows environment, but it's good to specify these things) will run under the SYSTEM account. If it becomes compromised through a SQL injection, then it is likely that all accounts, including domain accounts, will be compromised.

However, the situation doesn't differ much if MS-SQL is installed, although recent versions of MS-SQL are at least run with lower privileges.
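The answer's point about what else runs on the IIS host (services under SYSTEM, domain accounts that would be exposed by a compromise) can be checked directly. The following is an added example, not code from the original post: it inventories the identities that services and IIS application pools run under and flags anything running as SYSTEM or as a domain account. It assumes Windows Server 2008 R2 / IIS 7.5 with the WebAdministration module and an elevated PowerShell session.

```powershell
# Added example: audit service and app-pool identities on an IIS 7.5 host.
# Assumes the WebAdministration module (IIS 7.5 on Server 2008 R2) and an elevated shell.
Import-Module WebAdministration

# Built-in, low-privilege or machine-local identities that do not expose domain credentials.
$builtin = @('NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

# 1. Windows services: anything that is not disabled and runs either as LocalSystem
#    or as an account outside the built-in set (typically a DOMAIN\user account).
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -ne 'Disabled' } |
    ForEach-Object {
        $identity = $_.StartName
        $flag = if ($identity -eq 'LocalSystem') { 'RUNS-AS-SYSTEM' }
                elseif ($builtin -notcontains $identity) { 'NON-BUILTIN-ACCOUNT' }
                else { 'ok' }
        New-Object PSObject -Property @{
            Kind = 'Service'; Name = $_.Name; Identity = $identity; State = $_.State; Flag = $flag
        }
    } |
    Where-Object { $_.Flag -ne 'ok' } |
    Format-Table Kind, Name, Identity, State, Flag -AutoSize

# 2. IIS application pools: identityType is LocalSystem, LocalService, NetworkService,
#    ApplicationPoolIdentity or SpecificUser (the last carries an explicit userName).
Get-ChildItem IIS:\AppPools |
    ForEach-Object {
        $type = $_.processModel.identityType
        $user = $_.processModel.userName
        $flag = if ($type -eq 'LocalSystem') { 'RUNS-AS-SYSTEM' }
                elseif ($type -eq 'SpecificUser' -and $user -like '*\*') { 'DOMAIN-ACCOUNT' }
                else { 'ok' }
        New-Object PSObject -Property @{
            Kind = 'AppPool'; Name = $_.Name; Identity = "$type $user".Trim(); State = $_.state; Flag = $flag
        }
    } |
    Where-Object { $_.Flag -ne 'ok' } |
    Format-Table Kind, Name, Identity, State, Flag -AutoSize
```

A flagged DOMAIN-ACCOUNT app pool is the credential that a web-tier compromise would hand to the attacker; scoping that account's share permissions to the served folders only, as the question proposes, limits what it can reach.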

I did not know about the Spider tool. Thank you, and good info about later versions of MS-SQL running with lower privileges. I'm still at 2005, maybe that's reason enough to go to a higher level.
– Knox Mar 29 '11 at 20:42